
Help with Windows Defender exclusion list


umang


Hi, my laptop was affected by some virus and now there are multiple folders shown as exclusions in Windows Defender (doesn't get scanned).

My latest scan using Malwarebytes came back clean, but I cannot delete the entries in Windows Defender as the remove button is greyed out.

 

Any help would be much appreciated. Thanks in advance


  • Root Admin

Hello @umang

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 


 

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download


 

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


Thanks for the quick response and sorry for the delayed response from my end.

 

Unfortunately I was not able to download AdwCleaner from the link provided or directly from the Malwarebytes site ... keep getting an error saying "This site can’t be reached download.toolslib.net took too long to respond."

Finally had to download the file from a different location 

Am attaching the files as requested. 

 

Thanks in advance.

 

FRST.txt MB detection.txt AdwCleaner[C00].txt AdwCleaner[S00].txt Addition.txt


Please ignore the files above, I think I uploaded them before the scan was complete. Really sorry for the inconvenience.

 

Thanks for the quick response and sorry for the delayed response from my end.

 

Unfortunately I was not able to download AdwCleaner from the link provided or directly from the Malwarebytes site ... keep getting an error saying "This site can’t be reached download.toolslib.net took too long to respond."

Finally had to download the file from a different location 

Am attaching the files as requested. 

Addition.txt FRST.txt MB detection.txt AdwCleaner[S00].txt AdwCleaner[S01].txt


Hello Umang.   My name is Maurice.  I will be helping you here while Advancedsetup is away for this week.

Thanks for the reports.   I understand you to indicate that there are some folders set in Windows Defender as "exclusions".  I will guide you to doing a few checks & attempt some adjustments.   We will start out with a custom script.

This script is intended for some specific cleanups like leftovers of some obsolete settings, as well as removing some unwanted restrictions of some system functions. It will also run the Windows System File Checker tool.   Keep in mind this is not a one-shot do-all fix.   We will  do some other steps after this here.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The system will be rebooted after the script has run.


This custom script is for  Umang  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRST64  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.   We will do more later on.   Thanks for your patience.

Fixlist.txt


Thanks for the reports & this screen grab.   I am going to review the reports & soon, will have a new reply for you.   All of these folders are suspicious junk.

What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 


The custom Fix run is a good one.  Please be sure you are not self-medicating your pc on your own.  I am re-reviewing the FRST reports & I notice the presence of "Loaris Trojan Remover".   Have you been using that on your own?

I also see the mb-support support tool download.  Do you have an open help ticket with Malwarebytes Support?

Are you getting help at another venue currently?   I want to know before we proceed.


I have 2 posts above this one.   Be sure you do not overlook them.

I am sending a new script to attempt to find those oddly named sub-folders.  Be sure you Delete the old file Fixlist.txt on your Downloads folder.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The system will be rebooted after the script has run.   This run here should be super quick.


This custom script is for  Umang  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRST64  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.  

Fixlist.txt


8 hours ago, Maurice Naggar said:

 The custom Fix run is a good one.  Please be sure you are not self-medicating your pc on your own.  I am re-reviewing the FRST reports & I notice the presence of "Loaris Trojan Remover".   Have you been using that on your own?

I also see the mb-support support tool download.  Do you have an open help ticket with Malwarebytes Support?

Are you getting help at another venue currently?   I want to know before we proceed.

I had downloaded it earlier, but have uninstalled it ...


8 hours ago, Maurice Naggar said:

 The custom Fix run is a good one.  Please be sure you are not self-medicating your pc on your own.  I am re-reviewing the FRST reports & I notice the presence of "Loaris Trojan Remover".   Have you been using that on your own?

I also see the mb-support support tool download.  Do you have an open help ticket with Malwarebytes Support?

Are you getting help at another venue currently?   I want to know before we proceed.

No, I don't have an open ticket and am not self-medicating any more :), only following your advice.

For your information, I had manually deleted most of the odd-named files much earlier when the PC was infected, but unfortunately they still show in the exclusion list.


Thanks.  This next set should be our final set for our goal to clear the Windows Defender excluded folders-paths.

Be sure you Delete the old file Fixlist.txt  on your Downloads folder.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The system will be rebooted after the script has run.   This run here should be super  duper quick.


This custom script is for  Umang  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRST64  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.    Go into Windows Settings >> Virus and threat protection   & look at what is displayed ( if any) for Excluded folders.

Fixlist.txt


Hi.  Thanks for the Fixlog report.  Yes, the registry key that has the exclusions is quite restricted.  Basically only Windows Defender can make any changes to it.

Thus if you cannot make changes using the GUI of the Windows Defender in Windows Settings, it's time to give up the quest to get the old entries gone.  In any event, we have determined that the actual folders no longer physically exist.  Makes the exclusions moot.

This is a very long shot.  Maybe worth trying once.  See if you can get the system into Safe mode  and then try the Exclusion list adjustment as a test.


Hi again.  Let's do one test and see if we have better luck.

Start an elevated PowerShell command prompt window. On the Windows taskbar, in the Search box, type in

powershell

Wait and look for the results list.  Click on the line that shows Powershell with "Run as Administrator".

Then you will see the PowerShell window. Into that, we want to Copy & Paste this entire line as is

Remove-MpPreference -ExclusionPath "c:\program files (x86)\gHUgOvOJIIE" -Force

then tap the Enter-key and wait and watch the result.   Relay that to me.   If there is a rejection or a glitch, see about getting a screen-grab of that and paste it into your next reply.   The goal here is to see whether we can get one folder-path exclusion removed.    meaning, one removal at a time.

Be very very sure that the PowerShell is in an ELEVATED state and that you copy & paste verbatim as-is

The trickiest part here is getting a good spelling of the sub-folder(s)

Edited by Maurice Naggar

There is no error or exception message, so that must have worked.   We want to keep that elevated Powershell running as is

and do another folder

we want to Copy & Paste this entire line as is

Remove-MpPreference -ExclusionPath "c:\program files (x86)\gnogaTRWAYUn" -Force

then tap the Enter-key and wait and watch the result.

Then go into Windows Settings >>> Exclusion list area and grab & paste a new screen-grab image


Let's tweak what we were trying just a bit.  We first need to do one special specification

we want to Copy & Paste this entire line as is

Set-ExecutionPolicy Unrestricted

and then tap ENTER-key and keep going with the next line.   [ That line above is only done 1 time for this session of PowerShell ]

Next

we want to Copy & Paste this entire line as is

Remove-MpPreference -ExclusionPath "c:\program files (x86)\gnogaTRWAYUn" -Force

then tap the Enter-key and wait and watch the result.

Next

we want to Copy & Paste this entire line as is

Remove-MpPreference -ExclusionPath "c:\program files (x86)\gHUgOvOJIIE" -Force

then tap the Enter-key and wait and watch the result.


A YES to all.   [ When we get all truly finished, we will get back to getting that to the normal setting.   For now, let's go forth ]

I want to see if we can remove those 2 and later we can do the others.  Just keep the PowerShell window open
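
The one-at-a-time removals in the posts above, generalized into an audit function as an added example (not part of the original thread and not any poster's script): it lists every Defender folder exclusion, marks those whose folder no longer exists, removes them only when `-Remove` is given, and re-reads the list afterwards. The function name `Repair-DefenderExclusion`, the `-Remove` switch and the report columns are hypothetical names chosen for this example; the policy key is where Group Policy stores path exclusions, and an entry found there is managed by policy and is expected to remain listed.

```powershell
function Repair-DefenderExclusion {   # hypothetical name, chosen for this example
    param([switch]$Remove)            # without -Remove the function only reports

    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole($admin)) {
        throw 'Run this from an elevated PowerShell window.'
    }

    # Exclusions delivered by Group Policy are stored as value names under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
    $policySet = @()
    if (Test-Path -LiteralPath $policyKey) {
        $policySet = @((Get-Item -LiteralPath $policyKey).Property)
    }

    $listed = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
    $rows = foreach ($path in $listed) {
        $status = 'kept: folder exists, review by hand'
        if ($path -match '[*?%]') {
            $status = 'kept: wildcard or variable, review by hand'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $status = 'stale: folder is gone'
            if ($Remove) {
                try {
                    # Same cmdlet and switches as in the thread, one path at a time.
                    Remove-MpPreference -ExclusionPath $path -Force -ErrorAction Stop
                    $status = 'stale: removal accepted'
                } catch {
                    $status = "stale: removal failed ($($_.Exception.Message))"
                }
            }
        }
        [pscustomobject]@{ Path = $path; Status = $status
                           ByPolicy = ($policySet -contains $path) }
    }

    # Re-read the list to confirm which entries are actually gone.
    $after = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
    foreach ($row in $rows) {
        $row | Add-Member -NotePropertyName StillListed `
                          -NotePropertyValue ($after -contains $row.Path)
    }
    $rows
}

Repair-DefenderExclusion | Format-Table -AutoSize -Wrap            # report only
# Repair-DefenderExclusion -Remove | Format-Table -AutoSize -Wrap  # remove stale entries
```

A row with `StillListed` true after a run with `-Remove` is the case to investigate: check its `ByPolicy` column and the `Status` text for the reason.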
